HCL CAMWorks
Published

5 Best Practices for Manufacturing Cybersecurity

A Department of Defense (DoD) push to protect data by vetting suppliers more thoroughly illuminates how any CNC machining business can improve. 

Share

Leaders-In background

Is your customers’ data secure? Most leaders of CNC machining businesses likely would say “yes,” but answering in the affirmative is no longer enough for those seeking sensitive defense-industry work. The struggle to meet new government standards shows the extent to which basic cybersecurity best practices can differentiate not only these manufacturers, but virtually any shop trusted with sensitive data. 

 

Our expansive July 2019 issue cover story, “How to Become a Defense Supplier,” touched on more than cybersecurity.

This was the subject of a recent conversation with David Watts, solution consultant at Avatara, an information technology firm that is focusing on helping small- and mid-sized manufacturers meet new Department of Defense (DoD) requirements. More specifically, Avatara is helping DoD suppliers prepare for Cybersecurity Maturity Model Certification (CMMC). While current regulations dictate that DoD suppliers constantly track and update their own security policies and report on progress, the new CMMC requires answering to third-party auditors, and doing so prior to the awarding of a contract rather than after the fact. “A lot of manufacturers are going to be caught flat-footed,” Mr. Watts says.

National security implications aside, Mr. Watts says a crisis for some can present opportunity for others. Based on Avatara’s experience with customers so far, the most significant areas of weakness involve practices and procedures that are rudimentary by modern cybersecurity standards, even if they take time and effort to implement. As he puts it, “If you don’t do this stuff, you’re nowhere near ready for CMMC. But really, a lot of it could be viewed as basic best practices for anyone.” Examples include:  

Training Regularly

Although the specifics had not been published at the time of this writing, the CMMS builds directly on the current National Institute for Technology (NIST) 800-171 standard, which already specifies training for key employees. “You’ll have to show the auditors, ‘Here are the training sessions, here are which ones we passed and failed, and here’s what we’re doing about it if we failed,’” Watts says.

Even without auditing, staying up to date is essential because threats are ever-evolving, he says. For example, security technology might not be enough for shops that do not appreciate the power of social engineering tactics. Phishing, or the sending of fake emails to obtain passwords or other information, is a classic example. “Just having a firewall in place is not enough to prevent that,” he says, adding that formal training should include practicing fake attacks. “It’ll tell you ‘Bob clicked this link seven times,’ and then you can tailor your training to Bob.’”

Requiring Strong Passwords

Password policies — that is, the rules governing what makes a good password — could explain part of the reason for the prevalence of tactics like phishing. Mr. Watts says that following best practices for passwords is a requirement for CMMC Level 3, the minimum level of certification for most CNC machining businesses seeking DoD contracts. Examples include requirements for certain numbers of characters and symbols; requirements that passwords change regularly; limits on using identical passwords; and limits on log-in attempts.

Requiring Multi-Factor Authentication

Multi-factor authentication refers to the use of multiple means — that is, more than just a password — to verify that users are who they say they are. For instance, a bank might ask for both a log-in ID and the answers to personal security questions. This is good practice in general, but necessary for CMMC, Mr. Watts says.

Monitoring for Threats

As is the case with current NIST standards, CMMC requires monitoring incoming and outgoing data to detect attacks and potential indicators of attacks, Mr. Watts says. Examples include malicious code, communications with external systems, unusual traffic patterns and so forth. Likewise, records of data crossing a network are necessary to identify attackers, weak points and more in the event of a security breach.   

Considering Security Beyond the Virtual

One of the simplest ways to steal sensitive data is to simply plug a USB stick into a computer or server. For its part, Avatara maintains all customers’ data in a private data center environment. Servers lack a port for any removable media, and are locked behind biometric access points and defended by armed guards. Manufacturers that opt to maintain their own information technology infrastructure may not go to these lengths, but precautions might be warranted even if the risk is more to a shop’s own financials rather than national security.  

HCL CAMWorks
ProShop
Techspex
Starrett W9400 Touch Screen Indicator
Hurco
715 Series - 5-axis complete machining
Innovative Manufacturing for the Medical Industry
World Machine Tool Survey
DN Solutions
DANOBAT
MWI
High Accuracy Linear Encoders

Related Content

Give Job Shop Digitalization a Customer Focus

Implementing the integrated digital technologies and automation that enhance the customer's experience should be a priority for job shops and contract manufacturers.

Read More

Protecting Your Automation Investments

Shops need to look at their people, processes and technology to get the most of out their automation systems.

Read More
Sponsored

How this Job Shop Grew Capacity Without Expanding Footprint

This shop relies on digital solutions to grow their manufacturing business. With this approach, W.A. Pfeiffer has achieved seamless end-to-end connectivity, shorter lead times and increased throughput.

Read More

Shop Quotes Smarter, Works Harder with Machine Monitoring

Temco first installed MT-LINKi to optimize quoting. Now, the software helps the shop optimize its machines — and machine purchases.

Read More

Read Next

Data-Driven Manufacturing

When It Comes to Cybersecurity, Be Scared, but Be Prepared

Warnings about threats to internet-enabled networks in manufacturing plants should be taken seriously without giving in to alarmist overreactions. The risks are real, but manageable, while the benefits are too compelling to forego.

Read More
Data-Driven Manufacturing

Cybersecurity for Job Shops

Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber attacks. 

Read More
HCL CAMWorks